FedRAMP Tailored LI-SaaS
Table of Contents
- 1. Information System Name
- 2. Information System Categorization
- 3. Information System Owner
- 4. Independent Assessor
- 5. Authorizing Official
- 6. Other Designated Contacts
- 7. Assignment of Security Responsibility
- 8. Information System Operational Status
- 9. Information System Type
- 10. General System Description
- 11. System Environment
- 12. System Interconnections
- 13. FedRAMP Applicable Laws and Regulations
1. Information System Name
This FedRAMP Tailored Low Impact Software as a Service (LI-SaaS) Framework provides an overview of the security requirements for the SHORTNAME-FULLSYSTEMNAME (SHORTNAME) and describes the controls in place or planned for implementation to provide a level of security appropriate for the information to be transmitted, processed, or stored by the system. Information security is vital to our critical infrastructure and its effective performance and protection is a key component of our national security program. Proper management of information technology (IT) systems is essential to ensure the required risk impact level of confidentiality, integrity, and availability of the data transmitted, processed, or stored by the SHORTNAME system is in place and operating as intended.
The security safeguards implemented for the SHORTNAME system meet the policy and control requirements set forth in this FedRAMP Tailored LI-SaaS Framework. All systems are subject to monitoring, consistent with applicable laws, regulations, agency policies, procedures, and practices.
Table 1‑1. Information System Identifier, Name, and Abbreviation
Unique Identifier | Information System Name | Information System Abbreviation |
---|---|---|
UUID | SHORTNAME-FULLSYSTEMNAME | SHORTNAME |
2. Information System Categorization
The overall SHORTNAME sensitivity categorization is recorded in Table 2.1, Security Categorization, which follows. The completed FedRAMP FIPS 199 document is included in this document as Attachment 3 – FedRAMP FIPS Security Categorization.
Table 2‑1. System Security Categorization
System Sensitivity Level: | |
---|---|
SHORTNAME-FULLSYSTEMNAME | Low Impact |
2.1. Information Types
This section describes how the information types used by SHORTNAME are categorized for confidentiality, integrity, and availability of sensitivity levels.
The following tables identify the information types that are input, stored, processed, and/or output from SHORTNAME. The selection of the information types is based on guidance provided by the Office of Management and Budget (OMB) Federal Enterprise Architecture (EA) Program Management Office (PMO) Business Reference Model 2.0, National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and NIST Special Publication 800-60 (NIST SP 800-60), Guide for Mapping Types of Information and Information Systems to Security Categories.
FIPS 199[1] allows for a full range of information types. In order to meet specific, niche needs of systems, Agencies can specify the types of information being placed in the cloud environment. For FedRAMP Tailored LI-SaaS, Agencies can specify the type(s) of information that will reside in FedRAMP Tailored LI-SaaS applications/systems.
To be considered a FedRAMP Tailored LI-SaaS cloud application/service, the answer to all of the following questions must be “yes”:
- Does the service operate in a cloud environment?
- Is the cloud service fully operational?
- Is the cloud service a Software as a Service (SaaS), as defined by NIST SP 800-145, The NIST Definition of Cloud Computing?
- Does the cloud service contain no personally identifiable information (PII), except as needed to provide a login capability (username, password and email address)?
- Is the cloud service low-security-impact, as defined by FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems?
- Is the cloud service hosted within a FedRAMP-authorized Platform as a Service (PaaS) or Infrastructure as a Service (IaaS), or is the CSP providing the underlying cloud infrastructure?
Table 2‑3. Sensitivity Categorization of Information Types for the SHORTNAME-FULLSYSTEMNAME
Information Type (Use only information types from NIST SP 800-60, Volumes I and II as amended) | NIST 800-60 identifier for Associated Information Type | Confidentiality | Integrity | Availability |
---|---|---|---|---|
<Information Type> | <NIST Identifier> | Low | Low | Low |
<Information Type> | <NIST Identifier> | Low | Low | Low |
<Information Type> | <NIST Identifier> | Low | Low | Low |
2.2. Security Objectives Categorization (FIPS 199)
Based on the information provided in Table 2.3, Sensitivity Categorization of Information Types for the SHORTNAME, the security objectives default to the high-water mark for the Information Types, as identified in Table 2.4, Security Impact Level, below.
If the security impact level for confidentiality, integrity, and availability for any of the identified data types is moderate or high, the information system is not a FedRAMP Tailored LI-SaaS system. The Cloud Service Provider (CSP) must meet the standard FedRAMP Low, Moderate, or High impact baseline security requirements, as applicable, and complete the requirement documentation.
Table 2‑4. Security Impact Level
Security Objective | Low, Moderate or High |
---|---|
Confidentiality | fips-199-low |
Integrity | fips-199-low |
Availability | fips-199-low |
Through careful review and analysis, the baseline security categorization for the SHORTNAME system has been determined and is listed in Table 2.5, Baseline Security Configuration, which follows.
Table 2‑5. Baseline Security Configuration
Baseline Security Configuration: | |
---|---|
SHORTNAME-FULLSYSTEMNAME | Low Impact |
Using this categorization, in conjunction with the risk assessment and any unique security requirements, the security controls for this system have been established as detailed in this FedRAMP Tailored LI-SaaS Framework.
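The categorization procedure in Sections 2.1 and 2.2 (take the high-water mark per objective across the information types in Table 2-3, then require every objective to be Low and every screening question to be answered “yes”) is mechanical enough to automate, which is useful when the information-type table is maintained as data rather than retyped. The following script is an added example written for this page, not part of the FedRAMP template; the information types, the NIST SP 800-60 identifiers and the questionnaire keys in it are constructed placeholders.

```python
"""FIPS 199 high-water mark and FedRAMP Tailored LI-SaaS eligibility check.

Added example for this page (not FedRAMP template code). Information types,
NIST SP 800-60 identifiers and questionnaire keys below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping, Tuple

# FIPS 199 impact levels, ranked so max() picks the most severe one.
LEVEL_RANK = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# The Section 2.1 screening questions that cannot be derived from the
# categorization itself; the FIPS 199 "low impact" question is answered by
# the high-water mark computation. Keys are constructed short names.
SCREENING_QUESTIONS = (
    "operates_in_cloud",
    "fully_operational",
    "is_saas_per_sp800_145",
    "no_pii_beyond_login",
    "hosted_on_fedramp_iaas_paas_or_own_infrastructure",
)


@dataclass(frozen=True)
class InformationType:
    """One row of Table 2-3."""
    name: str
    nist_id: str  # NIST SP 800-60 identifier (placeholder values in the samples)
    confidentiality: str
    integrity: str
    availability: str


def _level(value: str) -> str:
    """Normalise a cell value and reject anything that is not a FIPS 199 level."""
    lvl = value.strip().lower()
    if lvl not in LEVEL_RANK:
        raise ValueError(f"unknown FIPS 199 impact level: {value!r}")
    return lvl


def high_water_mark(info_types: Iterable[InformationType]) -> Dict[str, str]:
    """Per-objective maximum across all information types (fills Table 2-4)."""
    rows = list(info_types)
    if not rows:
        raise ValueError("Table 2-3 must list at least one information type")
    return {
        obj: max((_level(getattr(r, obj)) for r in rows), key=LEVEL_RANK.__getitem__)
        for obj in OBJECTIVES
    }


def system_impact(hwm: Mapping[str, str]) -> str:
    """Overall categorization (Table 2-5): the highest of the three objectives."""
    return max(hwm.values(), key=LEVEL_RANK.__getitem__)


def li_saas_eligible(
    info_types: Iterable[InformationType], answers: Mapping[str, bool]
) -> Tuple[bool, Dict[str, str], List[str]]:
    """Apply Sections 2.1 and 2.2: every objective Low and every question 'yes'.

    Returns (eligible, high-water mark, reasons why not eligible).
    """
    hwm = high_water_mark(info_types)
    reasons: List[str] = []
    impact = system_impact(hwm)
    if impact != "low":
        offending = ", ".join(f"{o}={l}" for o, l in hwm.items() if l != "low")
        reasons.append(
            f"system impact is {impact} ({offending}); the standard FedRAMP "
            f"{impact.capitalize()} baseline applies instead of Tailored LI-SaaS"
        )
    for q in SCREENING_QUESTIONS:
        if answers.get(q) is not True:
            reasons.append(f"screening question not answered 'yes': {q}")
    return (not reasons, hwm, reasons)


# Constructed sample rows in the shape of Table 2-3 (identifiers are placeholders).
SAMPLE_TABLE_2_3 = [
    InformationType("Help desk tickets", "<NIST Identifier>", "Low", "Low", "Low"),
    InformationType("Login accounts (username, email)", "<NIST Identifier>", "Low", "Low", "Low"),
]
# Same system, plus one information type whose integrity is Moderate.
SAMPLE_WITH_MODERATE = SAMPLE_TABLE_2_3 + [
    InformationType("Grant payment records", "<NIST Identifier>", "Low", "Moderate", "Low"),
]
SAMPLE_ANSWERS = {q: True for q in SCREENING_QUESTIONS}

if __name__ == "__main__":
    for label, table in (("all low", SAMPLE_TABLE_2_3), ("one moderate", SAMPLE_WITH_MODERATE)):
        ok, hwm, why = li_saas_eligible(table, SAMPLE_ANSWERS)
        print(f"{label}: Table 2-4 = {hwm}, LI-SaaS eligible = {ok}")
        for r in why:
            print("  -", r)
```

The second sample shows the edge case Section 2.2 calls out: a single information type whose integrity is Moderate raises the system impact to Moderate, so the check reports that the standard FedRAMP Moderate baseline applies rather than Tailored LI-SaaS. Levels that are not one of Low, Moderate or High are rejected rather than silently treated as Low.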
3. Information System Owner
The following individual is identified as the system owner or functional proponent/advocate for this system.
Table 3‑1. Information System Owner
Information System Owner Information | |
---|---|
Name | John Doe |
Title | System Owner |
Company / Organization | <Company/Organization>. |
Address | <Address, City, State and Zip> |
Phone Number | <555-555-5555> |
Email Address | <email address> |
4. Independent Assessor
The following individual is identified as the Independent Assessor for this system.
Table 4‑1. Independent Assessor
Independent Assessor Information | |
---|---|
Name | Company X |
Title | Third Party Assessor |
Company / Organization | <Company/Organization>. |
Address | <Address, City, State and Zip> |
Phone Number | <555-555-5555> |
Email Address | <email address> |
5. Authorizing Official
The Authorizing Official (AO) or Designated Approving Authority (DAA) for the SHORTNAME system is:
Authorizing Official | |
---|---|
Name | Jane Doe |
Title | AO |
Company / Organization | <Company/Organization>. |
Address | <Address, City, State and Zip> |
Phone Number | <555-555-5555> |
Email Address | <email address> |
6. Other Designated Contacts
The individual(s) identified below possess an in-depth knowledge of this system and/or its functions and operation.
Table 6‑1. Information System AO Management Point of Contact
Information System AO Management Point of Contact | |
---|---|
Name | Jane Doe |
Title | Management POC |
Company / Organization | <Company/Organization> |
Address | <Address, City, State and Zip> |
Phone Number | <555-555-5555> |
Email Address | <email address> |
Table 6‑2. Information System AO Technical Point of Contact
Information System AO Technical Point of Contact | |
---|---|
Name | Jane Doe |
Title | Management POC |
Company / Organization | <Company/Organization> |
Address | <Address, City, State and Zip> |
Phone Number | <555-555-5555> |
Email Address | <email address> |
7. Assignment of Security Responsibility
The SHORTNAME Information System Security Officer (ISSO), or their equivalent, identified below, has been appointed in writing and is deemed to have significant cyber and operational role responsibilities.
Table 7‑1. Internal ISSO (or Equivalent) Point of Contact
Internal ISSO (or Equivalent) Point of Contact | |
---|---|
Name | Jane Doe |
Title | ISSM |
Company / Organization | <Company/Organization> |
Address | <Address, City, State and Zip> |
Phone Number | <555-555-5555> |
Email Address | <email address> |
Table 7‑2. AO ISSO Point of Contact
AO ISSO Point of Contact | |
---|---|
Name | Jane Doe |
Title | ISSO |
Organization | <Company/Organization>. |
Address | <Address, City, State and Zip> |
Phone Number | <555-555-5555> |
Email Address | <email address> |
8. Information System Operational Status
The system is currently in the life-cycle phase shown in Table 8.1, System Status, which follows. Only operational systems can be granted an Authority to Operate (ATO).
Table 8‑1. System Status
System Status | |
---|---|
Operational | The system is operating and in production. |
Under Development | The system is being designed, developed, or implemented. |
Major Modification | The system is undergoing a major change, development, or transition. |
Other | Explanation required |
SHORTNAME-FULLSYSTEMNAME is Operational
System status explained here.
9. Information System Type
The SHORTNAME system makes use of unique managed service provider architecture layer(s).
9.1. Cloud Service Models
Information systems, particularly those based on cloud architecture models, are made up of different service layers. Below are some questions that can help system owners determine whether their system is a cloud, followed by specific questions to help system owners determine the type of cloud.
Table 9‑1. Determining a Cloud System
Question (Yes/No) | Conclusion |
---|---|
Does the system use virtual machines (VM)? | A no response means that the system is most likely not a cloud. |
Does the system have the ability to expand its capacity to meet customer demand? | A no response means that the system is most likely not a cloud. |
Does the system allow the customer to build anything other than servers? | A no response means that the system is an Infrastructure as a Service (IaaS). A yes response means that the system is either a Platform as a Service (PaaS) or a SaaS. |
Does the system offer the ability to create databases? | A yes response means that the system is a PaaS. |
Does the system offer various developer toolkits and Application Programming Interfaces (APIs)? | A yes response means that the system is a PaaS. |
Does the system offer only applications that are available by obtaining a login? | A yes response means that the system is a SaaS. A no response means that the system is either a PaaS or an IaaS. |
The layers of the SHORTNAME defined in this FedRAMP Tailored LI-SaaS Framework are indicated in Table 9.2, Service Layers Represented in this FedRAMP Tailored LI-SaaS Framework, which follows.
Table 9‑2. Service Layers Represented in this FedRAMP Tailored LI-SaaS Framework
Service Provider Architecture Layers | ||
---|---|---|
- [ X ] | Software as a Service (SaaS) | Major Application |
9.2. Cloud Deployment Models
Information systems are made up of different deployment models. The deployment models of the SHORTNAME that are defined in this FedRAMP Tailored LI-SaaS Framework, and that are not leveraged by any other FedRAMP Authorizations, are indicated in Table 9.3, Cloud Deployment Model Represented in this FedRAMP Tailored LI-SaaS Framework, which follows.
Table 9‑3. Cloud Deployment Model Represented in this FedRAMP Tailored LI-SaaS Framework
Service Provider Cloud Deployment Model | ||
---|---|---|
Public | Cloud services and infrastructure supporting multiple organizations and agency clients. | |
Private | Cloud services and infrastructure dedicated to a specific organization/agency and no other clients. | |
Government Only Community | Cloud services and infrastructure shared by several organizations/agencies with same policy and compliance considerations. | |
Hybrid | Explain: (e.g., cloud services and infrastructure that provide a private cloud for secured applications and data where required and a public cloud for other applications and data). | |
9.3. Leveraged Authorizations
The SHORTNAME leverages a pre-existing FedRAMP Authorized IaaS and/or PaaS. FedRAMP Authorizations leveraged by this SHORTNAME are listed in Table 9.4, Leveraged Authorizations, which follows.
Table 9‑4. Leveraged Authorizations
Leveraged Information System Name | Leveraged Service Provider Owner | Date Granted |
---|---|---|
AWS (FedRAMP ID: FEDRAMP-ID) | Leveraged Service Provider Owner | YYYY-MM-DD |
GCP (FedRAMP ID: FEDRAMP-ID) | Leveraged Service Provider Owner | YYYY-MM-DD |
10. General System Description
This section includes a general description of the SHORTNAME-FULLSYSTEMNAME.
10.1. System Function or Purpose
System purpose or function
10.2. Information System Components and Boundaries
Provide an explicit definition of the system’s Authorization Boundary
A detailed and explicit definition of the system authorization boundary diagram is represented in Figure 10.1, Authorization Boundary Diagram, below.
Figure 10‑1. Authorization Boundary Diagram
10.3. Types of Users
All personnel have their status categorized with a sensitivity level in accordance with PS-2. Personnel (employees or contractors) of service providers are considered Internal Users. All other users are considered External Users. User privileges (authorization permission after authentication takes place) are described in Table 10.1, Personnel Roles and Privileges, which follows.
Table 10‑1. Personnel Roles and Privileges
Role | Internal or External | P, NP, NLA | Sensitivity Level | Authorized Privileges | Functions Performed |
---|---|---|---|---|---|
System Administrator | Internal | Privileged (P) | Moderate | Full administrative access (root) | Add/remove users and hardware, install and configure software, OS updates, patches and hotfixes, perform backups. |
Client Administrator | External | Non-Privileged (NP) | N/A | Portal administration | Add/remove client users. Create, modify, and delete client applications. |
Program Director | Internal | No Logical Access (NLA) | Limited | Project administration | Reviews, approves and enforces policy. |
10.4. Network Architecture
Assessors should be able to easily map hardware, software, and network inventories back to this diagram. The logical network topology is shown in Figure 10.2, Network Diagram, mapping the data flow between components.
Figure 10.2, Network Diagram(s), provides a visual depiction of the system network components that constitute the SHORTNAME system.
Optional overview of Network Architecture
11. System Environment
The FedRAMP Inventory Workbook is included in this document in ATTACHMENT 2 – FedRAMP Inventory Workbook.
11.1. Hardware Inventory
Use the FedRAMP Inventory Workbook to list the principal hardware components for SHORTNAME-FULLSYSTEMNAME.
Note: A complete and detailed list of the system hardware and software inventory is required per NIST SP 800-53, Rev 4 CM-8.
11.2. Software Inventory
Use the FedRAMP Inventory Workbook to list the principal software components for SHORTNAME-FULLSYSTEMNAME.
11.3. Network Inventory
Use the FedRAMP Inventory Workbook to list the principal network devices and components for SHORTNAME-FULLSYSTEMNAME.
11.4. Data Flow
The data flow in and out of the system boundaries is represented in Figure 11.1, Data Flow Diagram, below.
Optional overview of Data Flow
Figure 11‑1. Data Flow Diagram
11.5. Ports, Protocols, and Services
Table 11.1, Ports, Protocols, and Services, lists the ports, protocols, and services enabled for the SHORTNAME.
Table 11‑1. Ports, Protocols, and Services
Ports (TCP/UDP) | Protocols | Services | Purpose | Used By |
---|---|---|---|---|
80-443 | TLS 1.2 | ServiceName | Purpose | |
12. System Interconnections
Table 12.1, System Interconnections, is consistent with the CA-3 Authorized Connections attestation information.
TODO - make forloop
Table 12‑1. System Interconnections
IP Address and Interface | External Organization Name and IP Address of System | External Point of Contact and Phone Number | Connection Security (IPSec VPN, SSL, Certificates, Secure File Transfer etc.) | Data Direction (incoming, outgoing, or both) | Information Being Transmitted | Port or Circuit Numbers |
---|---|---|---|---|---|---|
EXAMPLE of Table 12‑1. System Interconnections
SP IP Address and Interface | External Organization Name and IP Address of System | External Point of Contact and Phone Number | Connection Security (IPSec VPN, SSL, Certificates, Secure File Transfer etc.) | Data Direction (incoming, outgoing, or both) | Information Being Transmitted | Port or Circuit Numbers |
---|---|---|---|---|---|---|
<SP IP Address / Interface> | <External Org/IP> | <External Org POC> <Phone 555-555-5555> | <Connection Security> | Choose an item. | <Information Transmitted> | <Port/Circuit Numbers> |
13. FedRAMP Applicable Laws and Regulations
The FedRAMP Laws and Regulations Template can be found on this page: https://www.fedramp.gov/templates/.
13.1. FedRAMP Tailored LI-SaaS Guidance
Table 13.1, FedRAMP Tailored LI-SaaS Applicable Guidance, includes additional documentation specific to FedRAMP Tailored LI-SaaS information systems.
Table 13‑1. FedRAMP Tailored LI-SaaS Applicable Guidance
Title | Date |
---|---|
FedRAMP Tailored Security Requirements for Low Impact Software as a Service (LI-SaaS) Cloud Systems | 1/30/2017 |
NIST SP 800-171 rev 1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations | 12/2016 |
NIST Framework for Improving Critical Infrastructure Cybersecurity, v1.0 | 2/12/2014 |
13.2. Applicable Standards and Guidance
Table 13.2, SHORTNAME Standards and Guidance, includes any additional standards and guidance specific to SHORTNAME.
Table 13‑2. SHORTNAME Standards and Guidance
Identification Number | Title | Date | Link |
---|---|---|---|
<Reference ID> | <Reference Title> | <Ref Date> | <Reference Link> |
<Reference ID> | <Reference Title> | <Ref Date> | <Reference Link> |
<Reference ID> | <Reference Title> | <Ref Date> | <Reference Link> |
[1] FIPS Pub 199: FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION: Standards for Security Categorization of Federal Information and Information Systems, February 2004; http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf